Steps to Perform Cybersecurity Risk Assessment
Businesses face risk every day. Managing risk is critical, and that process starts with a risk assessment. Cybersecurity is all about understanding, managing, controlling and mitigating risk to your organization’s critical assets. If you don’t assess your risks, they cannot be properly managed, and your business is left exposed to threats.
Risk assessments are used to identify, estimate and prioritize risks to organizational operations and assets resulting from the operation and use of information systems. Risk assessments can be performed on any application, function, or process within your organization. A successful risk assessment process should align with your business goals and help you cost-effectively reduce risks.
Basic risk assessment involves only three factors: the importance of the assets at risk, how critical the threat is, and how vulnerable the system is to that threat. Using those factors, you can assess the risk, that is, the likelihood that your organization suffers a monetary loss.
Risk = Asset X Threat X Vulnerability
1. Identify Assets
Find all valuable assets across the organization that could be harmed by threats in a way that results in a monetary loss. Examples of assets: servers, website, client contact information, sensitive partner documents, trade secrets, customer credit card data, and so on.
For each asset, gather the following information, as applicable: software, hardware, network topology, IT security policies, IT security architecture, criticality, functional requirements, data, interfaces, information flow, technical security controls, physical security environment, environmental security, users, support personnel, information storage protection, etc.
2. Characterize the System (Process, Function, or Application)
Characterizing the system will help you determine the viable threats. This should include (among other factors):
- What is it?
- What kind of data does it use?
- Who is the vendor?
- What are the internal and external interfaces that may be present?
- Who uses the system?
- What is the data flow?
- Where does the information go?
3. Identify potential consequences
Determine what financial losses the organization would suffer if a given asset were damaged. Here are some of the consequences you should care about:
Data loss: Theft of trade secrets could cause you to lose business to your competitors. Theft of customer information could result in loss of trust and customer attrition.
System or application downtime: If a system fails to perform its primary function, customers may be unable to place orders, employees may be unable to do their jobs or communicate, and so on.
Legal consequences: If somebody steals data from one of your databases, even if that data is not particularly valuable, you can incur fines and other legal costs because you failed to comply with the data protection security requirements of HIPAA, PCI DSS or other compliance
4. Identify Threats
A threat is anything that might exploit a vulnerability to breach your security and cause harm to your assets. Some common threats are natural disasters (floods, earthquakes or fire), system failure, accidental human interference, and malicious human actions (interference, interception or impersonation).
There are some basic threats that will appear in every risk assessment; however, depending on the system, additional threats could be included. Common threat types include:
- Unauthorized access (malicious or accidental): This could be from a direct hacking attack or compromise, malware infection, or internal threat.
- Misuse of information (or privilege) by an authorized user: This could be the result of an unapproved use of data or changes made without approval.
- Data leakage or unintentional exposure of information: This includes permitting the use of unencrypted USB and/or CD-ROM without restriction; deficient paper retention and destruction practices; transmitting Non-Public Personal Information (NPPI) over unsecured channels; or accidentally sending sensitive information to the wrong recipient.
- Loss of data: This can be the result of poor replication and back-up processes.
- Disruption of service or productivity.
5. Identify Vulnerabilities
A vulnerability is a weakness that a threat can exploit to breach security and harm your organization. Vulnerabilities can be identified through vulnerability analysis, audit reports, vendor data, commercial computer incident response teams, and system software security analysis.
Testing the IT system, whether with penetration testing techniques or automated vulnerability scanning tools, is also an important way to identify vulnerabilities.
You can reduce your software-based vulnerabilities with proper patch management. But don’t forget about physical vulnerabilities. For example, moving your server room to the second floor of the building will greatly reduce your vulnerability to flooding.
6. Determine Inherent Risk & Impact
This step is done without considering your control environment. Factoring in how you characterized the system, you determine the impact to your organization if the threat were exercised. Examples of impact ratings are:
- High – Impact could be substantial.
- Medium – Impact would be damaging, but recoverable, and/or is inconvenient.
- Low – Impact would be minimal or non-existent.
7. Analyze Controls
Analyze the controls that are either in place or in the planning stage to minimize or eliminate the probability that a threat will exploit a vulnerability in the system. The aim is to identify threat prevention, mitigation, detection, or compensating controls and their relationship to the identified threats. For example: organizational risk management controls, user provisioning controls, administration controls, user authentication controls, infrastructure data protection controls, data center physical and environmental security controls, and continuity of operations controls.
Controls can be implemented through technical means, such as computer hardware or software, encryption, intrusion detection mechanisms, and identification and authentication subsystems. Nontechnical controls include security policies, administrative actions, and physical and environmental mechanisms.
Both technical and nontechnical controls can further be classified as preventive or detective controls. As the name implies, preventive controls attempt to anticipate and stop attacks. Examples of preventive technical controls are encryption and authentication devices. Detective controls are used to discover attacks or events through such means as audit trails and intrusion detection systems.
Control assessment categories may be defined as:
- Satisfactory – Meets control objective criteria, policy, or regulatory requirement.
- Satisfactory with Recommendations – Meets control objective criteria, policy, or regulatory requirement with observations for additional enhancements to existing policies, procedures, or documentation.
- Needs Improvement – Partially meets control objective criteria, policy, or regulatory requirement.
- Inadequate – Does not meet control objective criteria, policy, or regulatory requirement.
8. Determine a Likelihood Rating
Assess the probability that a vulnerability might actually be exploited, taking into account the type of vulnerability, the capability and motivation of the threat source, and the existence and effectiveness of your controls.
Examples of likelihood ratings are:
9. Assess the Impact
Impact analysis should include the following factors:
- The mission of the system, including the processes implemented by the system
- The criticality of the system, determined by its value and the value of the data to the organization
- The sensitivity of the system and its data
- The estimated frequency of the threat’s exploitation of a vulnerability on an annual basis
- The approximate cost of each of these occurrences
- A weight factor based on the relative impact of a specific threat exploiting a specific vulnerability
The impact on the system can be qualitatively assessed as high, medium or low.
10. Calculate Risk Rating
For each threat/vulnerability pair, we can determine the level of risk based on the following factors:
- The likelihood that the threat will exploit the vulnerability
- The impact of the threat successfully exploiting the vulnerability
- The adequacy of the existing or planned information system security controls for eliminating or reducing the risk
Some examples of risk ratings are:
- High – Not acceptable risk; a significant and urgent threat to the organization exists, and risk reduction remediation should be immediate.
- Medium – A viable threat to the organization exists, and risk reduction remediation should be completed in a reasonable period of time.
- Low – Acceptable risk; the service can be used with the identified threats, but the threats must be observed to discover changes that could increase the risk level.
11. Recommend Controls
Using the risk level as a basis, determine the actions that senior management and other responsible individuals must take to mitigate the risk. Here are some general guidelines for each level of risk:
- High – A plan for corrective measures should be developed as soon as possible.
- Medium – A plan for corrective measures should be developed within a reasonable period of time.
- Low – The team must decide whether to accept the risk or implement corrective actions.
When recommending controls for risk mitigation, consider organizational policies, applicable regulations, cost-benefit analysis, the overall effectiveness of the recommended controls, operational impact, feasibility, and safety and reliability.
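The following is an added worked example, not code from the original article: a small risk register that carries steps 6 to 11 through in Python. It rates inherent risk from a likelihood and impact matrix (step 6), lowers the likelihood for controls assessed as satisfactory (steps 7 and 8), computes the annualized loss from the frequency and cost factors listed in step 9, looks up the risk rating (step 10) and attaches the recommended action for that level (step 11). The asset names, loss figures, annual rates, the 3x3 matrix and the control-credit scheme are all constructed assumptions for illustration; a real assessment would use the organization's own scales.

```python
"""Added example, not from the original article: a small risk register that
carries steps 6 to 11 through in code. Asset names, loss figures, the
likelihood x impact matrix and the control-credit scheme are constructed."""
from dataclasses import dataclass, field

LEVELS = ("Low", "Medium", "High")

# Step 10: combine likelihood and impact into a risk rating (assumed 3x3 matrix).
RISK_MATRIX = {
    ("Low", "Low"): "Low",     ("Low", "Medium"): "Low",       ("Low", "High"): "Medium",
    ("Medium", "Low"): "Low",  ("Medium", "Medium"): "Medium", ("Medium", "High"): "High",
    ("High", "Low"): "Medium", ("High", "Medium"): "High",     ("High", "High"): "High",
}

# Step 11: recommended action per risk level, following the article's guidance.
ACTIONS = {
    "High": "develop a corrective plan as soon as possible",
    "Medium": "develop a corrective plan within a reasonable period",
    "Low": "team decides whether to accept the risk or remediate",
}

# Step 7: assumed credit each control assessment category earns toward
# lowering likelihood; only controls that meet their objective count.
CONTROL_CREDIT = {
    "Satisfactory": 1,
    "Satisfactory with Recommendations": 1,
    "Needs Improvement": 0,
    "Inadequate": 0,
}

@dataclass
class Control:
    name: str
    assessment: str  # one of the CONTROL_CREDIT keys

@dataclass
class ThreatVulnPair:
    asset: str
    threat: str
    vulnerability: str
    inherent_likelihood: str       # step 6: likelihood before controls (Low/Medium/High)
    impact: str                    # step 6: impact rating (Low/Medium/High)
    single_loss_expectancy: float  # step 9: approximate cost of one occurrence (assumed USD)
    annual_rate: float             # step 9: estimated occurrences per year
    controls: list = field(default_factory=list)

def residual_likelihood(pair: ThreatVulnPair) -> str:
    """Step 8: lower inherent likelihood one level per effective control, floor at Low."""
    idx = LEVELS.index(pair.inherent_likelihood)
    credit = sum(CONTROL_CREDIT[c.assessment] for c in pair.controls)
    return LEVELS[max(0, idx - credit)]

def annualized_loss_expectancy(pair: ThreatVulnPair) -> float:
    """Step 9: annual frequency times cost per occurrence (ALE = ARO x SLE)."""
    return pair.annual_rate * pair.single_loss_expectancy

def risk_rating(pair: ThreatVulnPair) -> str:
    """Step 10: residual likelihood and impact looked up in the matrix."""
    return RISK_MATRIX[(residual_likelihood(pair), pair.impact)]

def assess(register: list) -> list:
    """Build report rows (input for step 12), ordered by rating and then by ALE."""
    rows = []
    for p in register:
        rating = risk_rating(p)
        rows.append({
            "asset": p.asset,
            "threat": p.threat,
            "vulnerability": p.vulnerability,
            "inherent_risk": RISK_MATRIX[(p.inherent_likelihood, p.impact)],
            "residual_likelihood": residual_likelihood(p),
            "impact": p.impact,
            "risk_rating": rating,
            "ale_usd": annualized_loss_expectancy(p),
            "action": ACTIONS[rating],
        })
    order = {"High": 0, "Medium": 1, "Low": 2}
    rows.sort(key=lambda r: (order[r["risk_rating"]], -r["ale_usd"]))
    return rows

# Constructed sample register; every figure below is invented for the demo.
SAMPLE_REGISTER = [
    ThreatVulnPair("Customer database", "Unauthorized access", "Unpatched database server",
                   "High", "High", 250_000.0, 0.5,
                   [Control("Patch management", "Needs Improvement")]),
    ThreatVulnPair("Order web application", "Disruption of service", "Single server, no failover",
                   "Medium", "High", 40_000.0, 2.0,
                   [Control("Continuity of operations", "Satisfactory")]),
    ThreatVulnPair("Server room", "Flood", "Ground-floor location",
                   "Low", "High", 120_000.0, 0.05, []),
    ThreatVulnPair("Partner documents", "Data leakage via removable media", "Unrestricted USB use",
                   "Medium", "Medium", 15_000.0, 1.0,
                   [Control("Removable media policy", "Inadequate")]),
]

if __name__ == "__main__":
    for r in assess(SAMPLE_REGISTER):
        print(f'{r["risk_rating"]:6} {r["asset"]:22} ALE ${r["ale_usd"]:>9,.0f}  {r["action"]}')
```

Running the script lists the customer database first as a High risk (an Inadequate or Needs Improvement control earns no credit, so its residual likelihood stays High), while the web application drops from an inherent High to a residual Medium because its continuity control is Satisfactory. The annualized loss figure only orders pairs that share a rating; it is what gives management a cost basis for the budget decisions in step 12.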
12. Document the Results
The final step in the risk assessment process is to develop a risk assessment report to support management in making appropriate decisions on budget, policies, procedures and so on. For each threat, the report should describe the corresponding vulnerabilities, the assets at risk, the impact to your IT infrastructure, the likelihood of occurrence and the control recommendations.
To understand more about our engagement in Cybersecurity Risk Management Framework & Methodology Document development, speak with us today.